Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

cifs: prevent copying past input buffer boundaries

Prevent copying past @data buffer in smb2_validate_and_copy_iov() as
the output buffer in @iov might be potentially bigger and thus copying
more bytes than requested in @minbufsize.

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

Authored by Paulo Alcantara and committed by Steve French
9ee2afe5 69ccafdd

+2 -2
fs/cifs/smb2pdu.c
··· 3485 3485 if (rc) 3486 3486 return rc; 3487 3487 3488 - memcpy(data, begin_of_buf, buffer_length); 3488 + memcpy(data, begin_of_buf, minbufsize); 3489 3489 3490 3490 return 0; 3491 3491 } ··· 3609 3609 3610 3610 rc = smb2_validate_and_copy_iov(le16_to_cpu(rsp->OutputBufferOffset), 3611 3611 le32_to_cpu(rsp->OutputBufferLength), 3612 - &rsp_iov, min_len, *data); 3612 + &rsp_iov, dlen ? *dlen : min_len, *data); 3613 3613 if (rc && allocated) { 3614 3614 kfree(*data); 3615 3615 *data = NULL;
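Review bot: In the first hunk (smb2_validate_and_copy_iov(), line 3488), the new memcpy() length minbufsize keeps the write inside @data, but the read from begin_of_buf is only safe if buffer_length >= minbufsize, and nothing in the visible lines shows that guarantee. The only check in view is the `if (rc) return rc;` before the copy. Either copy min(buffer_length, minbufsize) bytes or add a comment stating that the preceding validation rejects responses with buffer_length < minbufsize. Also note that when buffer_length is larger than minbufsize the extra bytes are now dropped silently; if callers care about truncation, that should be documented or reported. The subject line says "input buffer" while the body describes overrunning @data, which is the copy destination; aligning the wording would help people triaging this fix for backports.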
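Review bot: In the second hunk (the caller at line 3612), `dlen ? *dlen : min_len` uses the caller-supplied *dlen as the copy bound, but the visible lines do not show *dlen being checked against the size of *data, and when `allocated` is set the buffer was sized somewhere outside this hunk. Please confirm that the allocation and *dlen always agree, and that *dlen cannot be 0 or smaller than min_len on entry, or clamp it here. Since this value lands in the parameter that the first hunk treats as minbufsize, it now acts as both the required minimum and the number of bytes copied; if the validation step rejects responses shorter than that value, a reply between min_len and *dlen bytes that was previously accepted would now fail. A comment saying that *dlen carries the capacity of *data on input would make the contract clear.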